reversing_drive

A security measure against viruses??


I find that in most cases in Win2000 when using the operating system, installing, uninstalling apps, up[censored], new drivers, tweaking etc... you would be either most of the time (if not all the time) logged on as administrator, OR have a separate user profile with administrative privileges.

 

But say you have a second profile, which has the same rights as the guest account (though not enabling the guest account because it has the fixed 'guest' PW).

Using this profile, are many viruses (damaging types, modifying system files etc...) stopped in their tracks because they are restricted to behaving within the user rights of the guest account, i.e. would they be helpless in trying to modify any system files because of auditing & user rights?

 

While on the same note, would hackers have a harder time modifying a user's computer remotely because of the restrictions the current user has?

 

Just a thought?

 

May be useful in some circumstances, if this is the case :)

 

Cheers.


No, I really don't think that does any good. What about the Melissa and Love Letter viruses? I hardly think all those affected were logged on as an admin or with admin privileges. Logged on as guest, or a limited user in most cases. Obviously, this didn't do any good.

Unless someone can prove that this works.

A virus is indifferent to who's logged on. Ever heard of the Fun-Love virus? Nasty, infects anything that touches it, including the virus scanner!!! It doesn't give a crap about who you are, and you're in computer hell regardless.


Just picking up on what you said, BrianF.

I realise that many viruses would not be hindered in any way through restricted user privileges, since most viruses are merely "annoyance type viruses", whose prime objective is to spread as fast as possible, clogging up email servers and services across the internet, where some of the variants may or may not cause damage to the user's system.

 

However I was more interested in discussing whether user privileges would restrict in any way the likelihood of highly damaging viruses being able to actually modify, delete, corrupt etc.. system files and other files which are otherwise restricted in most cases to a 'read-only' basis for "Guest-user-privileges".

 

Wouldn't most system critical files be protected through security settings in NTFS? :confused:

Isn't a virus (in most cases) essentially an application which has to run under the user environment which has been set? For example, user privileges restrict installation of programs in a "Guest logon" because the system will not allow any system changes while a user is logged on under those restricted privileges.

 

And APK, I'm interested in what you mention about "hidden share/hidden user"; is there actually a way to bypass the restrictions put on a particular "user-logon"?

 

And what does all this mean in the case of hackers, trying to damage or modify system critical files on your computer?

 

I suppose the fact that most viruses aren't written specifically for NT, rather for MS Windows as a whole, means some viruses probably are unable to function properly under NT depending on what user actions are allowed under a particular logon; another thing with Win2K, "Windows File Protection" probably would step in for milder, more obvious attacks on the system, or?

 

Anyway some thoughts, :)

Cheers,

 

PS: Thanks 4 your feedback :p


Yes, in some cases, the "average" user account may not have enough privies to run some of these worms. This happened for me (fortunately) when a user of mine kept trying to view this "joke" (a vbs worm) over and over again. He then came to me looking for help on seeing this "joke". I told him that he was actually launching a worm and there wasn't a joke in his email. He still wanted to see the joke. So, I just told him that he was the joke, and I then checked his system for infection. The script couldn't execute itself due to the nature of his permissions in NT4, and the PC managed to save itself in spite of its user. Bear in mind though, that this doesn't work for all or even most of the worms and viruses out there. You still need a virus scanner if you are at risk to exposure.


There are quite a few viruses that can be stopped dead in their tracks by using an account with limited privileges. Especially older viruses that are still "in the wild." Another thing such an account does is hinder what a hacker can accomplish should he get into your system. If the account that is accessed has few rights to create/modify/delete files, there is little the hacker could do. Especially if the account is restricted from modifying the Registry or installing software.

Quote:
Originally posted by reversing_drive
I find that in most cases in Win2000 when using the operating system, installing, uninstalling apps, up[censored], new drivers, tweaking etc... you would be either most of the time (if not all the time) logged on as administrator, OR have a separate user profile with administrative privileges.

But say you have a second profile, which has the same rights as the guest account (though not enabling the guest account because it has the fixed 'guest' PW).
Using this profile, are many viruses (damaging types, modifying system files etc...) stopped in their tracks because they are restricted to behaving within the user rights of the guest account, i.e. would they be helpless in trying to modify any system files because of auditing & user rights?

Yes. Absolutely correct.

This won't stop all viral actions -- for instance, they'll still be able to e-mail themselves to other people -- but gone will be the ability to modify system files, much of the registry, and so on.

Viruses aren't "special". They have to live by the constraints that the OS imposes on them. If you're an Administrator, there are very few such constraints (and many of those there are can be turned off).

The viruses will be able to infect files you have write access to (if your ACLs are set strictly, that will mostly be limited to those files within your profile directory), and alter registry keys you have access to (if your ACLs are set strictly, that will mostly be limited to HKCU), and will still be able to, for instance, e-mail themselves to people. But they won't be able to damage system files, or do many of the more nasty things that viruses do.

Quote:
While on the same note, would hackers have a harder time modifying a user's computer remotely because of the restrictions the current user has?

Depends. If, for instance, they get the user to run a trojan, that trojan will only be able to do things that the user account can do. So if it's unprivileged (and the system has been secured through ACLs), then it won't be able to, say, damage system files.

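To make the ACL argument in the reply above concrete, here is a toy model of an NT-style DACL access check (example code added here, not from the thread or from Windows). The file and registry paths, the group names standing in for SIDs, and the ACLs are all constructed; the point is that a program inherits the token of whoever launched it, so what it can write is exactly what that token can write.

```python
from dataclasses import dataclass
READ, WRITE = 0x1, 0x2  # simplified access-mask bits

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # principal (constructed names stand in for real SIDs)
    mask: int   # access bits granted or denied

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset

def access_check(dacl, token, desired):
    """Simplified NT check: a NULL DACL allows everything, an empty DACL allows nothing.
    ACEs are walked in order; a matching deny on any still-wanted bit fails at once,
    matching allows strip bits, and access is granted only once every bit is covered."""
    if dacl is None:
        return True
    principals = token.groups | {token.user}
    remaining = desired
    for ace in dacl:
        if ace.sid not in principals:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0

# Constructed ACLs in the spirit of a strictly-ACLed Win2000 box: system files and
# HKLM are writable only by Administrators/SYSTEM, the profile and HKCU by the user.
OBJECTS = {
    r"C:\WINNT\system32\kernel32.dll": [
        Ace("allow", "Administrators", READ | WRITE), Ace("allow", "SYSTEM", READ | WRITE),
        Ace("allow", "Users", READ)],
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": [
        Ace("allow", "Administrators", READ | WRITE), Ace("allow", "Users", READ)],
    r"C:\Documents and Settings\alice\My Documents\resume.doc": [Ace("allow", "alice", READ | WRITE)],
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": [Ace("allow", "alice", READ | WRITE)],
}

def writable_targets(token):
    """Objects a program running under `token` (a virus the user launched, say) could modify."""
    return sorted(n for n, d in OBJECTS.items() if access_check(d, token, WRITE))

ADMIN = Token("alice", frozenset({"Administrators", "Users"}))    # alice logged on as an admin
LIMITED = Token("alice", frozenset({"Users"}))                    # the same person, limited account
```

Calling `writable_targets(LIMITED)` returns only the profile file and the HKCU Run key, while `writable_targets(ADMIN)` returns all four objects, which is the whole difference the reply is describing.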
Quote:
Now, what makes ME wonder, is the "SU" type mechanism (or "run as" service or right-click for explorer.exe extensions) itself.

I would guess that only lets you do things as users less than yourself, or it'd be one heck of a security hole!

No, of course not.

su and RunAs both require password authentication. So they can't be used to elevate privileges.


Thanks guys, for your feedback.

 

I found it all quite interesting, and it seems that in some cases it would be useful to run such a setup (second user with retarded privileges).

 

Cheers,

 

PS=> Now don't go into too much detail, for all you guys know I could be the next virus mastermind, taking your opinions into account for my next project. 8)

 

... j/k lol, not likely:p


No. There have been holes where a process running as a privileged user has been compromised so that rather than running the code of the process it runs arbitrary code of the exploiter's choosing. These traditionally use buffer overflows of some variety (where a program creates a fixed-size buffer and proceeds to copy too much information to it, overwriting its stack).

Quote:
Me? I don't like running with 1/2 a$$ed privileges... many times I can't do certain things! Setting up my system? I need them...!

Yeah I normally wouldn't run with any other privileges than 'Admin' privs, but at the end of each month I will usually use up any extra Internet hours downloading music videos and MP3s using peer-to-peer apps; I just feel a little uneasy leaving the computer unattended during the night :( when logged on to the net.
Quote:
Watch it with emails, get a good AntiVirus, and disable macros... in apps & script scraps too! Change the .vbs file association to do that, easy rig for that!

Yeah I'm cautious of any emails with peculiar subject lines or executable attachments, or any unexpected email from strangers with attachments. I will usually forward it to my Hotmail and check it out at uni... if it looks interesting enough.
I use McAfee 5.21 and update the .dat's every chance I get, I visit windowsupdate at least once a week and I run ZoneAlarm 2.6 (with the 'MailSafe' feature enabled).
I plan to re-upgrade to IE6 when McAfee releases its compatibility patch.
I have .vbs associated to open with Notepad.
Quote:
P.S.=> Works for me! I personally, would LOVE to meet some "serious hacker" & have him try to break my machine online... just to see if it could be done! apk

I see your point, it is rather frustrating putting hours of work into securing your system as much as you can, then not having any real use of it. But then again, most of the time... would you really know if someone tried to hack you? You wouldn't really know until they were successful (in most cases).
The same really goes for viruses, I hardly ever get viruses sent to me (I guess this is a good thing), though it makes me wonder if it's really worth the effort sometimes. It is really exciting when McAfee catches one. It's only happened twice and they were old viruses anyway ;(

But hey, I wouldn't be inviting people to hack your system man if I were you. Unless you feel you've got nothing to lose, or have nothing to hide, some crazy folk might well take you up on that offer, and trust me there are many more patches & service packs to come (for Win2k & XP alike), and that's not just compatibility updates; there sure are some security holes left I bet.

But thanks again for your thoughts and opinions, this has been an interesting topic. :)

Cheers,
